GDPR Compliance in 2026: Principles, Rights & How to Prove It
Published Jun 12, 2026
By Orbiq Team

GDPR compliance explained for 2026: the 7 principles, 6 lawful bases, data subject rights, the compliance checklist, 2025–26 fines, and UK/Norway divergence.

GDPR compliance means processing the personal data of people in the EU and EEA strictly in line with Regulation (EU) 2016/679 — relying on a documented lawful basis, respecting the seven principles of Article 5, honouring data subject rights, securing the data under Article 32, notifying breaches within 72 hours, and, under the accountability principle, being able to prove all of it on demand. Eight years after it became enforceable on 25 May 2018, GDPR is no longer a project with an end date: it is the baseline operating standard for any B2B company that touches European data, and the single rulebook other European laws — NIS2, DORA, the EU AI Act — now build on.

This pillar is the head-term guide to the whole framework. For the deep article-by-article mechanics — data processing agreements, security measures, and breach notification — see our companion reference on GDPR Articles 28, 32, 33 & 34.

Key Takeaways

  • GDPR is built on seven principles (Article 5) and six lawful bases (Article 6). Every processing activity needs at least one documented lawful basis before it begins.
  • Accountability is the principle that turns compliance into evidence. You must not only comply — you must be able to demonstrate compliance with records, policies, and DPIAs.
  • Enforcement is accelerating, not cooling. Regulators issued ~€1.2 billion in fines in 2025; Q1 2026 fines were up nearly 400% year-on-year, led by France's CNIL and the UK's ICO.
  • The map is diverging. The UK's Data (Use and Access) Act 2025 makes UK GDPR materially more flexible from February 2026, while Norway and the EEA stay on unmodified EU GDPR — cross-border firms must run to the stricter standard.
  • GDPR evidence is reusable. The same records, TOMs, and certificates that prove GDPR also answer NIS2, DORA, and customer security questionnaires — if you centralise them in a European Trust Center.

Who Must Comply with GDPR

GDPR applies to the processing of personal data wherever the data subject is in the EU or EEA — not wherever the company is. Under Article 3 (territorial scope), the Regulation reaches any organisation that is either established in the Union, or that offers goods or services to people in the Union, or that monitors their behaviour. A SaaS vendor in São Paulo or San Francisco selling to a Munich customer is squarely in scope.

Two roles matter, and most B2B companies hold both at once:

  • Controller — you decide why and how personal data is processed. For your own employee, prospect, and customer-contact data, you are a controller.
  • Processor — you process personal data on behalf of another controller, on their documented instructions. For the data your customers load into your platform, you are their processor.

This dual role is why GDPR compliance is never just a privacy-policy exercise. As a controller you owe duties to data subjects; as a processor you owe duties to your customers under Article 28 data processing agreements. Getting both directions right is the difference between passing a procurement security review and losing the deal.

The 7 GDPR Principles (Article 5)

Everything in GDPR flows from the seven principles in Article 5. The first six are in Article 5(1); the seventh, accountability, is in Article 5(2) and is the one that turns "we comply" into "we can prove it."

  1. Lawfulness, fairness, transparency — Art. 5(1)(a). Process on at least one Article 6 lawful basis; don't use data in unexpected or misleading ways; tell people clearly what you do via privacy notices.
  2. Purpose limitation — Art. 5(1)(b). Collect for specified, explicit and legitimate purposes; don't repurpose data in an incompatible way. Research, archiving and statistics under Art. 89(1) are not deemed incompatible.
  3. Data minimisation — Art. 5(1)(c). Collect only data that is adequate, relevant and limited to what is necessary for the purpose.
  4. Accuracy — Art. 5(1)(d). Keep data accurate and, where necessary, up to date; erase or rectify inaccurate data without delay.
  5. Storage limitation — Art. 5(1)(e). Keep data in identifiable form no longer than necessary; longer only for Art. 89(1) archiving/research with safeguards.
  6. Integrity and confidentiality — Art. 5(1)(f). Ensure appropriate security using technical and organisational measures — the hook into Article 32.
  7. Accountability — Art. 5(2). The controller is responsible for, and must be able to demonstrate, compliance with principles 1–6.

The accountability principle is the quiet centre of gravity. A regulator's first question after an incident is rarely "were you compliant?" — it is "show me." Records of processing activities (Article 30), your DPIAs (Article 35), your TOMs, and your processor due diligence are the artefacts that answer it. Organisations that store this evidence as scattered email threads and spreadsheets fail the accountability test even when their underlying practices are sound.

The 6 Lawful Bases (Article 6)

Processing is lawful only if at least one of the six bases in Article 6(1) applies. Choosing — and documenting — the right basis for each activity is the most common gap auditors find.

  1. Consent — Art. 6(1)(a). Freely given, specific, informed and unambiguous, for one or more specific purposes. The highest-friction basis: it must be as easy to withdraw as to give.
  2. Contract — Art. 6(1)(b). Processing necessary to perform a contract with the data subject, or to take pre-contractual steps at their request.
  3. Legal obligation — Art. 6(1)(c). Processing necessary to comply with an EU or Member State legal obligation that applies to you.
  4. Vital interests — Art. 6(1)(d). Processing necessary to protect someone's life or physical integrity — typically emergencies.
  5. Public task — Art. 6(1)(e). Processing necessary for a task in the public interest or official authority laid down in law. Mostly for public bodies.
  6. Legitimate interests — Art. 6(1)(f). Processing necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's rights — a documented balancing test, never available to public authorities acting in their official capacity.

A practical rule: don't default everything to consent. For B2B SaaS, contract and legitimate interests usually carry most processing, with consent reserved for marketing and non-essential cookies. Mislabelling the basis — for example, relying on legitimate interests where you actually needed consent — is itself a breach.

Data Subject Rights (Articles 12–22)

GDPR gives individuals enforceable rights that you must be able to action, usually within one month (extendable by two months for complex requests under Article 12(3)):

  • Information (Articles 13–14) — transparent privacy notices at collection.
  • Access (Article 15) — a copy of their data and the processing details, on request (a DSAR).
  • Rectification (Article 16) — correction of inaccurate data.
  • Erasure / "right to be forgotten" (Article 17).
  • Restriction of processing (Article 18).
  • Data portability (Article 20) — a structured, machine-readable export.
  • Objection (Article 21) — including an absolute right to object to direct marketing.
  • Rights related to automated decision-making and profiling (Article 22).

The 2026 regulatory focus has sharpened here. The EDPB's coordinated enforcement priority moved toward transparency obligations (Articles 12–14), and the UK's reform (below) explicitly rewrites the rules around DSAR effort and automated decisions — so rights handling is where divergence is now most visible.

Core Obligations and the 2026 Checklist

The principles and rights translate into a concrete set of operational obligations. This is the head-term checklist; each row links to the deeper reference where one exists.

  • Records of Processing Activities, or RoPA (Art. 30): a maintained inventory of every processing activity, purpose, basis, and recipient.
  • Lawful basis per activity (Art. 6): a documented basis mapped to each activity in the RoPA.
  • Privacy notices (Arts. 12–14): clear, accessible notices at every collection point.
  • Data subject rights workflow (Arts. 15–22): a repeatable process to action DSARs within one month.
  • Data Processing Agreements (Art. 28): a signed DPA with every processor, plus a maintained subprocessor list.
  • Technical & organisational measures (Art. 32): documented security controls proportionate to risk (encryption, access control, resilience, testing).
  • DPIAs for high-risk processing (Art. 35): a completed impact assessment before high-risk processing begins.
  • Data Protection Officer (Art. 37): a DPO appointed where required (large-scale monitoring or special-category data).
  • Breach notification to the authority (Art. 33): notify the supervisory authority within 72 hours of becoming aware.
  • Breach communication to data subjects (Art. 34): inform affected individuals without undue delay where the risk is high.
  • International transfer safeguards (Arts. 44–49): SCCs, adequacy, or another Chapter V mechanism for every transfer outside the EEA.

If you can produce evidence for each of these rows on demand, you are not just compliant — you are demonstrably compliant, which is the accountability standard. The recurring failure mode is the gap between practice and proof: organisations that do the right thing but cannot show it on a regulator's or buyer's timeline.

Fines and Enforcement in 2025–2026

Article 83 sets two penalty tiers, each "whichever is higher":

  • Lower tier — up to €10 million or 2% of total worldwide annual turnover (e.g. RoPA, processor, breach-notification failures).
  • Upper tier — up to €20 million or 4% of total worldwide annual turnover (e.g. breaches of the principles, lawful basis, or data subject rights).

The numbers are no longer theoretical. Cumulative GDPR fines since 2018 are tracked at roughly €6.3 billion by the CMS Enforcement Tracker, with the largest single fine still Meta's €1.2 billion Irish decision. Regulators issued on the order of €1.2 billion in 2025 alone, including the Irish DPC's €530 million fine against TikTok for unlawful transfers, recorded in the EDPB's 2025 annual report.

The 2026 signal is the pace. According to enforcement trackers, Q1 2026 fines reached about €68 million across Europe — nearly a 400% increase on the ~€13.8 million in Q1 2025. France's CNIL drove much of it with roughly €47 million (including €27 million against Free Mobile, €15 million against Free, and €5 million against France Travail), while the UK's ICO issued about €16.9 million, headlined by a landmark fine against Reddit over children's data and age assurance. The direction of travel is clear: enforcement is broadening from headline Big Tech cases toward routine, mid-market accountability failures.

What Changed in 2026: Omnibus, Transfers, AI

Three moving parts every European compliance lead should track in 2026:

The GDPR Procedural Regulation. Proposed by the Commission on 4 July 2023 to streamline cross-border, one-stop-shop enforcement, and politically agreed in June 2025, the reform is intended to standardise cooperation timetables and procedural rights (right to be heard, access to the file) across DPAs. Until the final text is formally published and applicable, treat it as an enforcement-direction signal rather than a new operational deadline.

The "Digital Omnibus" simplification. Published on 19 November 2025, the Commission's Digital Omnibus package proposes to simplify parts of the EU data rulebook — including GDPR recordkeeping and operational obligations — and is being negotiated alongside adjustments to the AI Act timeline. As of mid-2026 it is not yet final; treat it as a direction, not a done deal, and don't dismantle controls in anticipation.

Transfers and the Data Privacy Framework. The EU-US Data Privacy Framework adequacy decision (2023) was upheld by the General Court on 3 September 2025 in Latombe v Commission (T-553/23), but the case is on appeal. The DPF remains operationally valid for now; prudent organisations keep SCCs as a fallback in case the appeal disturbs it.

GDPR and the EU AI Act. The AI Act (in force 1 August 2024) does not replace GDPR. AI systems that process personal data still need a lawful basis, data minimisation, transparency, and — frequently — a DPIA. The AI Act layers separate obligations on top, with transparency rules (including AI-content labelling) applying from 2 August 2026 and high-risk timelines extended by a May 2026 political agreement. For more, see our EU AI Act compliance guide.

GDPR Beyond the EU-27: UK and Norway

GDPR compliance is a European problem, not an EU-27 one — and the map is now actively diverging.

United Kingdom. Post-Brexit, the UK retained EU GDPR as "UK GDPR" alongside the Data Protection Act 2018, regulated by the ICO. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with most data-protection provisions commencing 5 February 2026. Key divergences from EU GDPR:

  • "Recognised legitimate interests" that do not require a balancing test for specified purposes (e.g. crime prevention, safeguarding, emergencies).
  • Relaxed automated decision-making rules for non-sensitive data, with safeguards focused on "significant decisions" and special-category data.
  • A "reasonable and proportionate" DSAR search standard with a "stop-the-clock" provision while you seek clarification.
  • A "not materially lower" adequacy/transfer test, replacing the EU's stricter "essentially equivalent" standard.
  • PECR (cookie) fines aligned with GDPR levels — up to £17.5 million or 4% of global turnover — and the ICO restructured into the Information Commission.

Norway and the EEA. Norway is not an EU member but applies unmodified EU GDPR via the EEA Agreement (incorporated by EEA Joint Committee Decision No. 154/2018), implemented through the Personal Data Act (personopplysningsloven) in force since 20 July 2018 and supervised by Datatilsynet. Norway has no "recognised legitimate interests" carve-out, keeps the full Article 22 automated-decision constraints, and applies the "essentially equivalent" adequacy standard — so it tracks the EU, not the UK.

The practical consequence for any firm operating across the UK and EU/EEA: where both regimes apply, you must comply with the stricter one. UK flexibilities do not travel into the EEA, and building to the EU baseline keeps you compliant in Norway, Germany, France, the Netherlands, and the UK simultaneously.

GDPR, NIS2 and DORA: One Evidence Base

GDPR no longer stands alone. The EU's cybersecurity and resilience laws reuse the same control vocabulary, and the evidence overlaps heavily:

  • Risk-based security measures: GDPR Art. 32; NIS2 Art. 21(2); DORA Arts. 5–15 (ICT risk).
  • Incident / breach reporting: GDPR Arts. 33–34 (72h); NIS2 Art. 23 (24h early warning); DORA Art. 19 (major ICT incidents).
  • Third-party / supply-chain assurance: GDPR Art. 28 (processors); NIS2 Art. 21(2)(d); DORA Arts. 28–30 (ICT providers).
  • Governance & accountability: GDPR Art. 5(2); NIS2 Art. 20 (management liability); DORA Art. 5 (management body).

A company subject to all three doesn't need three programmes — it needs one evidence base mapped to three regimes. Your Article 32 TOMs largely satisfy NIS2 Article 21(2); your Article 28 processor due diligence is the spine of DORA third-party risk management. Treating them as separate projects is how compliance budgets get wasted. See our guides to the NIS2 Directive and DORA compliance for the cross-mapping in depth.

From GDPR Evidence to a European Trust Center

The accountability principle and Article 28(3)(h) create the same operational need from two directions: you must produce evidence — to regulators (inbound) and to customers (outbound). A Trust Center is where that evidence lives.

As a controller, a Trust Center structures due diligence on your own processors: their DPAs, TOMs, subprocessor lists, and certificates, maintained and monitored rather than re-collected each year. As a processor, it answers your customers' Article 28(3)(h) requests — DPA, TOMs, ISO 27001/SOC 2 reports, subprocessor list, RoPA extracts — from one access-controlled, always-current place, instead of a fresh email thread and a manual document hunt for every deal.

For European buyers, the data-residency dimension matters too: a Trust Center hosted in the EU sidesteps the transfer questions that the Latombe appeal keeps alive. With continuous monitoring, the evidence stays current automatically, so accountability stops being a quarterly scramble and becomes a standing capability. That is the shift this whole framework rewards: from doing compliance to demonstrating it.

Turn GDPR evidence into a buyer-ready European Trust Center. See how Orbiq centralises your DPAs, TOMs and certificates so every regulator and prospect gets a current answer on the first request.


Sources & References

  1. Regulation (EU) 2016/679 (GDPR) — Full Text — Official Journal of the European Union.
  2. gdpr-info.eu — Article 5 (Principles relating to processing) — The seven principles.
  3. gdpr-info.eu — Article 6 (Lawfulness of processing) — The six lawful bases.
  4. gdpr-info.eu — Article 83 (General conditions for administrative fines) — The two penalty tiers.
  5. CMS GDPR Enforcement Tracker — Statistics — Cumulative fines and largest individual penalties.
  6. EDPB Annual Report 2025 — TikTok €530M and 2025 enforcement.
  7. GDPR Fines Q1 2026 Surge — Acompli — Q1 2026 fines (~€68M), CNIL and ICO actions.
  8. European Commission — GDPR Procedural Regulation — Cross-border enforcement reform and June 2025 political agreement.
  9. Reed Smith — The Great GDPR Divergence: UK DUAA vs EU Omnibus — UK/EU divergence analysis.
  10. DLA Piper — UK Commencement of DUAA Data Protection Provisions (Feb 2026) — DUAA in force 5 February 2026.
  11. ICO — Data (Use and Access) Act 2025 — UK regulator guidance.
  12. Datatilsynet — Norwegian Data Protection Authority — Norway's GDPR via the EEA.
  13. General Court — Latombe v Commission (T-553/23) — EU-US Data Privacy Framework upheld 3 September 2025 (on appeal).

Frequently Asked Questions

What is GDPR compliance?

GDPR compliance means processing the personal data of people in the EU and EEA in line with Regulation (EU) 2016/679: relying on a lawful basis (Article 6), respecting the seven principles in Article 5, honouring data subject rights (Articles 12–22), implementing appropriate technical and organisational security measures (Article 32), notifying breaches within 72 hours (Article 33), and being able to demonstrate all of it under the accountability principle (Article 5(2)).

What are the 7 principles of GDPR?

Article 5 sets out seven principles: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality (security); and (7) accountability. The first six are in Article 5(1); accountability is in Article 5(2) and requires the controller to be able to demonstrate compliance with the other six.

Who must comply with GDPR?

Organisations established in the EU or EEA must comply when they process personal data in that context. Non-EU organisations must comply when they offer goods or services to people in the EU or EEA, or monitor their behaviour there (Article 3). B2B SaaS companies are usually both controllers — for their own employee and customer data — and processors — for the data their customers store in the platform.

What are the 6 lawful bases for processing under GDPR?

Article 6(1) lists six lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests. You must identify and document at least one lawful basis for every processing activity before you start processing.

What are the penalties for GDPR non-compliance?

Article 83 sets two tiers: up to €10 million or 2% of global annual turnover for lower-tier breaches, and up to €20 million or 4% of global annual turnover for the most serious breaches — whichever is higher. Regulators issued roughly €1.2 billion in GDPR fines in 2025, and Q1 2026 fines (~€68 million) were almost four times the same quarter a year earlier.

How is UK GDPR different from EU GDPR in 2026?

The UK Data (Use and Access) Act 2025, with most data-protection provisions in force from 5 February 2026, amends UK GDPR: it adds 'recognised legitimate interests' that skip the balancing test, relaxes automated-decision rules for non-sensitive data, codifies a 'reasonable and proportionate' DSAR search with a stop-the-clock option, and replaces the EU 'essentially equivalent' adequacy test with a 'not materially lower' standard. Norway, via the EEA, still applies unmodified EU GDPR.

Does GDPR still apply to AI systems under the EU AI Act?

Yes. The EU AI Act does not replace GDPR — it sits alongside it. Any AI system that processes personal data still needs a valid GDPR lawful basis, must respect data minimisation and transparency, and may require a Data Protection Impact Assessment. The AI Act adds separate obligations on risk management, documentation and transparency.

How does a Trust Center help with GDPR compliance?

A Trust Center centralises the evidence GDPR makes you produce — your DPA, technical and organisational measures, subprocessor list, ISO 27001/SOC 2 certificates, records of processing, and DPIAs — in one access-controlled place. As a controller it structures due diligence on your own processors; as a processor it lets you answer customer Article 28(3)(h) requests without a fresh email thread every time.
